Hi, in our application we run searches in the following ways, and we suspect some discrepancy when using splunk.search.dispatch.
1. Enter the query in the search page and run it. Here the search query runs fully and returns more than 50,000 events.
2. Run scheduled saved searches using savedsearches.conf, which collects data into another index. Here also the query runs fully and inserts all events into the index.
3. Running the search in Python using splunk.saved.dispatchSavedSearch. The query runs fine and the events are collected to the index without getting truncated.
4. Running the search in Python using splunk.search.dispatch and saving the results CSV as a string. Here, when the results are more than 50,000 or so, they get truncated. I am not sure about the count though, but there is definitely some discrepancy in the search results.
What can go wrong with splunk.search.dispatch?
The REST API has a limitation in sending the search results...
Refer to these links for more details and a sample implementation:
http://answers.splunk.com/answers/52782/100-result-limit-in-js-sdk.html
http://dev.splunk.com/view/python-sdk/SP-CAAAEK2
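
An added example, not part of the original question or answer: paging through a job's results with the results endpoint's `offset` and `count` parameters, then checking the number of rows retrieved against the number the job reported, so truncation is detected rather than suspected. `fetch_all`, `fetch_page`, `make_fake_job` and `TruncatedResults` are hypothetical names, and the job is a constructed in-memory stand-in, so this runs offline.

```python
from typing import Callable, Dict, List

Row = Dict[str, str]
# fetch_page(offset, count) -> rows. Hypothetical stand-in for one request to
# the job's results endpoint using its `offset` and `count` parameters.
FetchPage = Callable[[int, int], List[Row]]


class TruncatedResults(Exception):
    """Raised when the rows retrieved do not match what the job reported."""


def fetch_all(fetch_page: FetchPage, expected_total: int,
              page_size: int = 10000) -> List[Row]:
    """Retrieve every row of a finished job, page by page."""
    rows: List[Row] = []
    while len(rows) < expected_total:
        page = fetch_page(len(rows), page_size)
        if not page:
            # Server stopped returning rows early; avoid looping forever.
            break
        # Advance by what was actually returned: the server may cap a page
        # below the requested count.
        rows.extend(page)
    if len(rows) != expected_total:
        raise TruncatedResults(f"got {len(rows)} of {expected_total} rows")
    return rows


def make_fake_job(total: int, server_cap: int) -> FetchPage:
    """Constructed job: `total` rows, at most `server_cap` rows per request."""
    data = [{"_serial": str(i)} for i in range(total)]

    def fetch_page(offset: int, count: int) -> List[Row]:
        return data[offset:offset + min(count, server_cap)]

    return fetch_page


if __name__ == "__main__":
    job = make_fake_job(total=120000, server_cap=50000)
    # One large request is silently cut at the per-request cap.
    print("single request:", len(job(0, 1000000)))
    # Paging by offset retrieves everything and verifies the count.
    print("paged:", len(fetch_all(job, expected_total=120000)))
```

Against a real instance, `fetch_page` would wrap the request for the job's results and `expected_total` would come from the result count the job itself reports.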